"This is kind of in the twilight zone," said Richard Smith, a security and privacy expert who runs a Web site called ComputerBytesMan.com. "You don't need to change text of email; you just need to change the script tags. That's what everybody else does," Smith said.

MSN's Hotmail, for example, filters out JavaScript commands, or tags, in HTML email without changing words, according to an MSN representative. Many other Web-based services, such as bulletin boards and chat rooms, filter out JavaScript commands too.

"If you don't filter JavaScript, then you can have malicious JavaScript-coded messages that start messing with somebody's email account," Smith noted.

The software that Yahoo! uses automatically scans Web-enhanced email and replaces terms that can be confused with Web code. For security reasons, Yahoo!'s Osako would not disclose which terms are replaced. But an independent test by CNET News.com showed that the terms "eval," "mocha" and "expression" were replaced with "review," "espresso" and "statement," respectively. British newsletter site NTK, which first reported the use of the filter, lists other terms that are replaced through Yahoo! Mail, including "JavaScript" to "java-script" and "livescript" to "live-script."

"Yahoo! is always reviewing and updating our filtering and security systems as part of our ongoing efforts to continually enhance our service," Osako said.

But as far as Yahoo!'s filters go, "it just looks like buggy software," Smith said.
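The two filtering approaches described above, side by side, as an added example that is not code from Yahoo!, MSN or the article. `term_replace` models the term filter as case-insensitive substring replacement (an assumption; the article gives only the word pairs), `ScriptStripper` is a hypothetical tag-aware filter built on Python's `html.parser`, and the sample message is constructed.

```python
import re
from html import escape
from html.parser import HTMLParser

# Substitutions the article reports (CNET News.com test and NTK list).
SUBSTITUTIONS = {"eval": "review", "mocha": "espresso", "expression": "statement",
                 "javascript": "java-script", "livescript": "live-script"}
TERMS = re.compile("|".join(SUBSTITUTIONS), re.IGNORECASE)

def term_replace(body):
    """Assumed model of a term filter: case-insensitive substring replacement."""
    return TERMS.sub(lambda m: SUBSTITUTIONS[m.group(0).lower()], body)

class ScriptStripper(HTMLParser):
    """Removes script-bearing markup and leaves the message's words alone."""
    def __init__(self):
        super().__init__()
        self.out, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            return
        kept = []
        for name, value in attrs:
            # Ignore whitespace/control characters when checking the URL scheme.
            compact = re.sub(r"[\s\x00-\x1f]", "", value or "").lower()
            if (name.startswith("on")                      # event handlers
                    or compact.startswith(("javascript:", "livescript:", "mocha:"))
                    or (name == "style" and "expression(" in compact)):
                continue
            kept.append(f' {name}="{escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:                             # drop script bodies
            self.out.append(escape(data, quote=False))

def strip_scripts(body):
    parser = ScriptStripper()
    parser.feed(body)
    parser.close()                                         # flush buffered text
    return "".join(parser.out)

# Constructed sample message, not taken from the article.
SAMPLE = ('<p onmouseover="eval(x)">A medieval evaluation of mocha, '
          'an expression of taste.</p><script>eval("x")</script>')
```

On the sample, `term_replace` rewrites the visible words while leaving the `<script>` element in place, whereas `strip_scripts` removes the element and the handler and returns the sentence unchanged.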





